Windows Analysis Report
SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll

Overview

General Information

Sample name: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll
Analysis ID: 1431438
MD5: db4b8570e24a6820f9fc30bc34b75de4
SHA1: 8eec515e7c75b3879ada16cd5f397e7c588dc193
SHA256: 652e2c35d36d4b96fdda843b6339c185eab3263b0b8acdb6349df240d1b9f8e4
Tags: dll
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected VMProtect packer
Machine Learning detection for sample
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll Avira: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll Joe Sandbox ML: detected
Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll String found in binary or memory: http://www.2345.com/?15493
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll String found in binary or memory: http://www.2345.com/?15493Software
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll String found in binary or memory: http://www.hao123.com/?tn=50097079_1_hao_pg
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll String found in binary or memory: http://www.hao123.com/?tn=50097079_1_hao_pgaHR0cDovL3d3dy5oYW8xMjMuY29tLz90bj01MDA5NzA3OV8xX2hhb19wZ
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll String found in binary or memory: http://www.itmxc.com
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll String found in binary or memory: http://www.itmxc.com/member.php?mod=register

System Summary
barindex
Detected VMProtect packer
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll Static PE information: .vmp0 and .vmp1 section names
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll Binary or memory string: OriginalFilenameNCList.DLL< vs SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll
Uses 32bit PE files
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll Static PE information: Section: .vmp2 ZLIB complexity 0.9891912286931818
Source: classification engine Classification label: mal56.winDLL@14/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll,DllCanUnloadNow Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll,DllGetClassObject Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: atl100.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: msvcp100.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: omng.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: uilib.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: atl100.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: msvcp100.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: omng.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uilib.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll Static file information: File size 2216547 > 1048576
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll Static PE information: Raw size of .vmp2 is bigger than: 0x100000 < 0x113000
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .vmp2
PE file contains an invalid checksum
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll Static PE information: real checksum: 0x12bb1c should be: 0x2286d4
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll Static PE information: section name: .vmp0
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll Static PE information: section name: .vmp1
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll Static PE information: section name: .vmp2
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll
Source: SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll Static PE information: section name: .vmp2 entropy: 7.954667501881547
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.515774.17185.28729.dll",#1 Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1431438 Sample: SecuriteInfo.com.Variant.Te... Startdate: 25/04/2024 Architecture: WINDOWS Score: 56 19 Antivirus / Scanner detection for submitted sample 2->19 21 Detected VMProtect packer 2->21 23 Machine Learning detection for sample 2->23 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 rundll32.exe 7->13         started        15 3 other processes 7->15 process5 17 rundll32.exe 9->17         started       
No contacted IP infos